>>>>> "DS" == Dave Shield writes:

DS> I'm inclined to leave things as they stand - this feels a more secure
DS> arrangement, and is probably in line with default expectations. But
DS> it does result in a minor change in behaviour, so I wouldn't object if
DS> the consensus was to switch back to the previous, more open
DS> configuration.

[same text posted to a different note, but I'll repeat it in the
proper thread... In short I'm against the functionality change as I
don't see a reason for it. It doesn't buy you any more security; the
introduction of the ability does, but not the modification of the
default as long as it's documented.]

I actually think it should authorize all by default. That's what it's
done before and it's a behavior change. Had it been a bad thing, I'd
of course say otherwise. But I think the default user case will be to
authorize access to all contexts. The rouser, etc, cases are already
convenience wrappers likely to be used by people authorizing a user to
access almost everything. Contexts also have not been a common way
to separate different security data areas.

The *ability* to limit to a context is certainly important, but I
don't think it needs to limit to just "" by default. Assuming that's
what's going on, because I'm speaking without having read the code of course.

Wes Hardaker
Sparta, Inc.

Net-snmp-coders mailing list